b'AUDIT OF COMPLIANCE WITH STANDARDS GOVERNING\n COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE\n      TENNESSEE BUREAU OF INVESTIGATION\n      MEMPHIS REGIONAL CRIME LABORATORY\n              MEMPHIS, TENNESSEE\n\n            U.S. Department of Justice \n\n          Office of the Inspector General \n\n                   Audit Division \n\n           Audit Report GR-40-11-005 \n\n                   June 2011\n\n\x0c  AUDIT OF COMPLIANCE WITH STANDARDS GOVERNING \n\n   COMBINED DNA INDEX SYSTEM ACTIVITIES AT THE \n\n        TENNESSEE BUREAU OF INVESTIGATION \n\n        MEMPHIS REGIONAL CRIME LABORATORY \n\n               MEMPHIS, TENNESSEE \n\n\n                            EXECUTIVE SUMMARY\n\n\n\n      The Department of Justice Office of the Inspector General (OIG), Audit\nDivision, has completed an audit of compliance with standards governing\nCombined DNA Index System (CODIS) activities at the Tennessee Bureau of\nInvestigation, Memphis Regional Crime Laboratory (Laboratory).\n\nBackground\n\n      The Federal Bureau of Investigation\xe2\x80\x99s (FBI) CODIS program combines\nforensic science and computer technology to provide an investigative tool to\nfederal, state, and local crime laboratories in the United States, as well as\nthose from select international law enforcement agencies. The CODIS\nprogram allows these crime laboratories to compare and match DNA profiles\nelectronically to assist law enforcement in solving crimes and identifying\nmissing or unidentified persons.1 The FBI\xe2\x80\x99s CODIS Unit manages CODIS, as\nwell as develops, supports, and provides the program to crime laboratories\nto foster the exchange and comparison of forensic DNA evidence.\n\n      The FBI implemented CODIS as a distributed database with\nhierarchical levels that enables federal, state, and local crime laboratories to\ncompare DNA profiles electronically. The hierarchy consists of three distinct\nlevels that flow upward from the local level to the state level and then, if\nallowable, the national level. The National DNA Index System (NDIS), the\nhighest level in the hierarchy, contains DNA profiles uploaded by law\nenforcement agencies across the United States and is managed by the FBI.\nNDIS enables the laboratories participating in the CODIS program to\ncompare electronically DNA profiles on a national level. The State DNA\nIndex System (SDIS) is used at the state level to serve as a state\xe2\x80\x99s DNA\n\n\n       1\n         DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells\nthat contains encoded information necessary for building and maintaining life.\nApproximately 99.9 percent of human DNA is the same for all people. The differences found\nin the remaining 0.1 percent allow scientists to develop a unique set of DNA identification\ncharacteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.\n\n\n                                             i\n\x0cdatabase and contains DNA profiles from local laboratories and state\noffenders. The Local DNA Index System (LDIS) is used by local laboratories.\n\nOIG Audit Objectives\n\n      Our audit generally covered the period from March 2009 through\nFebruary 2011. However, our sample of forensic profiles selected for review\nwas from the Laboratory\xe2\x80\x99s entire universe of forensic profiles. The\nobjectives of our audit were to determine if: (1) the Tennessee Bureau of\nInvestigation, Memphis Regional Crime Laboratory was in compliance with\nthe NDIS participation requirements; (2) the Laboratory was in compliance\nwith the Quality Assurance Standards (QAS) issued by the FBI; and (3) the\nLaboratory\xe2\x80\x99s forensic DNA profiles in CODIS databases were complete,\naccurate, and allowable for inclusion in NDIS.\n\n     Our review determined the following:\n\n  \xef\x82\xb7\t The Laboratory complied with NDIS participation requirements tested\n     except that it was not storing a copy of the CODIS database\n     backup off-site in a lockable container on a monthly basis and it did\n     not provide documentation during our audit that it responded to a\n     request from another laboratory to confirm an NDIS match. The\n     laboratory was in compliance with the remaining NDIS participation\n     requirements reviewed. The Laboratory should ensure its written\n     procedures address NDIS participation requirements pertaining to\n     safeguarding CODIS data.\n\n  \xef\x82\xb7\t The Laboratory complied with the Forensic QAS tested. Specifically,\n     we found that the Laboratory complied with the FBI\xe2\x80\x99s QAS with respect\n     to QAS reviews, laboratory security, protection of the integrity of\n     evidence, separation of known and unknown samples, and the\n     retention of samples and extracts after analysis.\n\n  \xef\x82\xb7\t We reviewed 100 of the 603 forensic profiles the Laboratory had\n     uploaded to NDIS as of February 2, 2011. Of the 100 forensic profiles\n     sampled, 4 were unallowable for upload to NDIS. The unallowable\n     profiles either belonged to a victim, were taken from the suspect\xe2\x80\x99s\n     person, or could not be connected to evidence found at the crime\n     scene. The CODIS Administrator removed the four profiles from NDIS\n     during our on-site work. The remaining 96 profiles we reviewed were\n     complete, accurate, and allowable for inclusion in NDIS. Four\n     unallowable profiles were processed by the Laboratory in 2007 and\n     earlier; therefore it appears the Laboratory has improved its\n     procedures for ensuring that allowable profiles are uploaded to NDIS.\n\n\n                                     ii\n\x0c      We made two recommendations to address the Laboratory\xe2\x80\x99s\ncompliance with standards governing CODIS activities, which are discussed\nin detail in the Findings and Recommendations section of the report. Our\naudit objectives, scope, and methodology are detailed in Appendix I of the\nreport and the audit criteria are detailed in Appendix II.\n\n      We discussed the results of our audit with Laboratory officials and\nhave included their comments in the report as applicable. In addition, we\nrequested a written response to a draft of our report from the FBI and the\nLaboratory. In its response, the Laboratory agreed that it should be storing\na monthly backup copy of the CODIS database in an off-site lockable\ncontainer and provided us a copy of a form that it will use to track\nfuture compliance with this NDIS requirement. The Laboratory also\nprovided a copy of an e-mail response to another laboratory regarding a\nmatch confirmation request. The e-mail was not available to us during the\naudit, and the CODIS Administrator obtained it from the initiating laboratory\nafter we completed our audit. The FBI agreed with the corrective actions\ntaken by the Laboratory.\n\n\n\n\n                                      iii\n\x0c                                TABLE OF CONTENTS\n\n\n\nINTRODUCTION ................................................................................ 1\n\n   Background .................................................................................... 1 \n\n   OIG Audit Objectives ....................................................................... 1 \n\n   Legal Foundation for CODIS.............................................................. 1 \n\n   CODIS Structure ............................................................................. 2 \n\n   Laboratory Information .................................................................... 6 \n\n\nFINDINGS AND RECOMMENDATIONS................................................ 7\n\n   I.    Compliance with NDIS Participation Requirements ......................... 7 \n\n   II.   Compliance with Quality Assurance Standards ............................ 10 \n\n   III. Suitability of Forensic DNA Profiles in CODIS Databases ............... 13 \n\n\nAPPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY ............... 16\n\n\nAPPENDIX II: AUDIT CRITERIA ..................................................... 19\n\n   NDIS Participation Requirements..................................................... 19 \n\n   Quality Assurance Standards .......................................................... 20 \n\n   Office of the Inspector General Standards......................................... 21\n\n\nAPPENDIX III: FEDERAL BUREAU OF INVESTIGATION\n              RESPONSE\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.23\n\nAPPENDIX IV: \tTENNESSEE BUREAU OF INVESTIGATION\n              MEMPHIS REGIONAL CRIME LABORATORY\n              RESPONSE\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.24\n\nAPPENDIX V: \tOFFICE OF THE INSPECTOR GENERAL ANALYSIS \n\n             AND SUMMARY OF ACTIONS TAKEN TO\n\n             CLOSE REPORT\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..26 \n\n\x0cINTRODUCTION\n\n\n      The Department of Justice Office of the Inspector General (OIG), Audit\nDivision, has completed an audit of compliance with standards governing\nCombined DNA Index System (CODIS) activities at the Tennessee Bureau of\nInvestigation, Memphis Regional Crime Laboratory (Laboratory).\n\nBackground\n\n       The Federal Bureau of Investigation\xe2\x80\x99s (FBI) CODIS provides an\ninvestigative tool to federal, state, and local crime laboratories in the\nUnited States using forensic science and computer technology. The CODIS\nprogram allows these laboratories to compare and match DNA profiles\nelectronically, thereby assisting law enforcement in solving crimes and\nidentifying missing or unidentified persons.1 The FBI\xe2\x80\x99s CODIS Unit manages\nCODIS and is responsible for its use in fostering the exchange and\ncomparison of forensic DNA evidence.\n\nOIG Audit Objectives\n\n      We conducted our audit from March 2009 through February 2011.\nHowever, our sample of forensic profiles selected for review was from the\nLaboratory\xe2\x80\x99s entire universe of forensic profiles. The objectives of our audit\nwere to determine if: (1) the Tennessee Bureau of Investigation, Memphis\nRegional Crime Laboratory was in compliance with the National DNA Index\nSystem (NDIS) participation requirements; (2) the Laboratory was in\ncompliance with the Quality Assurance Standards (QAS) issued by the FBI;\nand (3) the Laboratory\xe2\x80\x99s forensic DNA profiles in CODIS databases were\ncomplete, accurate, and allowable for inclusion in NDIS. Appendix I contains\na detailed description of our audit objectives, scope, and methodology; and\nAppendix II contains the criteria used to conduct our audit.\n\nLegal Foundation for CODIS\n\n      The FBI\xe2\x80\x99s CODIS program began as a pilot project in 1990. The DNA\nIdentification Act of 1994 (Act) authorized the FBI to establish a national\nindex of DNA profiles for law enforcement purposes. The Act, along with\n\n       1\n         DNA, or deoxyribonucleic acid, is genetic material found in almost all living cells\nthat contains encoded information necessary for building and maintaining life.\nApproximately 99.9 percent of human DNA is the same for all people. The differences found\nin the remaining 0.1 percent allow scientists to develop a unique set of DNA identification\ncharacteristics (a DNA profile) for an individual by analyzing a specimen containing DNA.\n\n\n                                             1\n\n\x0csubsequent amendments, has been codified in a federal statute (Statute)\nproviding the legal authority to establish and maintain NDIS.2\n\nAllowable DNA Profiles\n\n      The Statute authorizes NDIS to contain the DNA identification records\nof persons convicted of crimes, persons who have been charged in an\nindictment or information with a crime, and other persons whose DNA\nsamples are collected under applicable legal authorities. Samples voluntarily\nsubmitted solely for elimination purposes are not authorized for inclusion in\nNDIS. The Statute also authorizes NDIS to include analysis of DNA samples\nrecovered from crime scenes or from unidentified human remains, as well as\nthose voluntarily contributed from relatives of missing persons.\n\nAllowable Disclosure of DNA Profiles\n\n      The Statute requires that NDIS only include DNA information that is\nbased on analyses performed by or on behalf of a criminal justice agency \xe2\x80\x93\nor the U.S. Department of Defense \xe2\x80\x93 in accordance with the QAS issued by\nthe FBI. The DNA information in the index is authorized to be disclosed\nonly: (1) to criminal justice agencies for law enforcement identification\npurposes; (2) in judicial proceedings, if otherwise admissible pursuant to\napplicable statutes or rules; (3) for criminal defense purposes, to a\ndefendant who shall have access to samples and analyses performed in\nconnection with the case in which the defendant is charged; or (4) if\npersonally identifiable information (PII) is removed for a population statistics\ndatabase, for identification research and protocol development purposes, or\nfor quality control purposes.\n\nCODIS Structure\n\n       The FBI implemented CODIS as a distributed database with\nhierarchical levels that enables federal, state, and local crime laboratories to\ncompare DNA profiles electronically. CODIS consists of a hierarchy of three\ndistinct levels: (1) NDIS, managed by the FBI as the nation\xe2\x80\x99s DNA database\ncontaining DNA profiles uploaded by participating states; (2) the State DNA\nIndex System (SDIS), which serves as a state\xe2\x80\x99s DNA database containing\nDNA profiles from local laboratories within the state and state offenders; and\n(3) the Local DNA Index System (LDIS), used by local laboratories. DNA\nprofiles originate at the local level and then flow upward to the state and, if\nallowable, national level. For example, the local laboratory in the\n\n      2\n          42 U.S.C.A. \xc2\xa7 14132 (2006).\n\n\n                                        2\n\n\x0cPalm Beach County, Florida, Sheriff\xe2\x80\x99s Office sends its profiles to the state\nlaboratory in Tallahassee, which then uploads the profiles to NDIS. Each\nstate participating in CODIS has one designated SDIS laboratory. The SDIS\nlaboratory maintains its own database and is responsible for overseeing\nNDIS issues for all CODIS-participating laboratories within the state. The\ngraphic below illustrates how the system hierarchy works.\n\n                 Example of System Hierarchy within CODIS\n\n                                              NDIS\n                                   Maintained by the FBI\n\n\n\n\nSDIS                            SDIS                             SDIS\nLaboratory                      Laboratory                       Laboratory\nRichmond, CA                    Springfield, IL                  Tallahassee, FL\n\n\n\n                                  LDIS Laboratories (partial list):\n                                  DuPage County Sheriff\xe2\x80\x99s Office\n                                  Illinois State Police, Chicago\n                                  Illinois State Police, Rockford\n\n LDIS Laboratories (partial list):                       LDIS Laboratories (partial list):\n Orange County Sheriff\xe2\x80\x99s Department                      Broward County Sheriff\xe2\x80\x99s Office\n San Bernardino County Sheriff\xe2\x80\x99s Department              Miami-Dade Police Department\n San Diego Police Department                             Palm Beach County Sheriff\xe2\x80\x99s Office\n\n\n\nNational DNA Index System\n\n       NDIS, the highest level in the CODIS hierarchy, enables laboratories\nparticipating in the CODIS program to compare electronically DNA profiles on\na national level. NDIS does not contain names or other PII about the\nprofiles. Therefore, matches are resolved through a system of laboratory-\nto-laboratory contacts. NDIS contains the following eight searchable\nindices:\n\n\n\n\n                                                  3\n\n\x0c  \xef\x82\xb7\t   Convicted Offender Index contains profiles generated from persons\n       convicted of qualifying offenses.3\n\n  \xef\x82\xb7\t   Arrestee Index is comprised of profiles developed from persons who\n       have been arrested, indicted, or charged in an information with a\n       crime.\n\n  \xef\x82\xb7\t   Legal Index consists of profiles that are produced from DNA samples\n       collected from persons under other applicable legal authorities.4\n\n  \xef\x82\xb7\t   Detainee Index contains profiles from non-U.S. persons detained under\n       the authority of the United States and required by law to provide a\n       DNA sample for analysis and entry into NDIS.\n\n  \xef\x82\xb7\t   Forensic Index profiles originate from, and are associated with, \n\n       evidence found at crime scenes. \n\n\n  \xef\x82\xb7\t   Missing Person Index contains known DNA profiles of missing persons\n       and deduced missing persons.\n\n  \xef\x82\xb7\t   Unidentified Human (Remains) Index holds profiles from unidentified\n       living individuals and the remains of unidentified deceased individuals.5\n\n  \xef\x82\xb7\t   Relatives of Missing Person Index is comprised of DNA profiles\n       generated from the biological relatives of individuals reported missing.\n\n      Given these multiple databases, the main functions of CODIS are to:\n(1) generate investigative leads that may help in solving crimes and\n(2) identify missing and unidentified persons.\n\n      The Forensic Index generates investigative leads in CODIS that may\nhelp solve crimes. Investigative leads may be generated through matches\nbetween the Forensic Index and other indices in the system, including the\nConvicted Offender, Arrestee, and Legal Indices. These matches may\nprovide investigators with the identity of suspected perpetrators. CODIS\n\n\n       3\n        The phrase \xe2\x80\x9cqualifying offenses\xe2\x80\x9d refers to local, state, or federal crimes that\n\n require a person to provide a DNA sample in accordance with applicable laws.\n\n       4\n        An example of a Legal Index profile is one from a person found not guilty by \n\n reason of insanity who is required by the relevant state law to provide a DNA sample.\n\n       5\n         An example of an Unidentified Human (Remains) Index profile from a living person\n is a profile from a child or other individual, who cannot or refuses to identify themselves.\n\n\n                                              4\n\n\x0calso links crime scenes through matches between Forensic Index profiles,\npotentially identifying serial offenders.\n\n       In addition to generating investigative leads, CODIS furthers the\nobjectives of the FBI\xe2\x80\x99s National Missing Person DNA Database program\nthrough its ability to identify missing and unidentified individuals. For\ninstance, those persons may be identified through matches between the\nprofiles in the Missing Person Index and the Unidentified Human (Remains)\nIndex. In addition, the profiles within the Missing Person and Unidentified\nHuman (Remains) Indices may be vetted against the Forensic, Convicted\nOffender, Arrestee, Detainee, and Legal Indices to provide investigators with\nleads in solving missing and unidentified person cases.\n\nState and Local DNA Index Systems\n\n       The FBI provides CODIS software free of charge to any state or local\nlaw enforcement laboratory performing DNA analysis. Laboratories are able\nto use the CODIS software to upload profiles to NDIS. However, before a\nlaboratory is allowed to participate at the national level and upload DNA\nprofiles to NDIS, a Memorandum of Understanding (MOU) must be signed\nbetween the FBI and the applicable state\xe2\x80\x99s SDIS laboratory. The MOU\ndefines the responsibilities of each party, includes a sublicense for the use of\nCODIS software, and delineates the standards laboratories must meet in\norder to utilize NDIS. Although officials from LDIS laboratories do not sign\nan MOU, LDIS laboratories that upload DNA profiles to an SDIS laboratory\nare required to adhere to the MOU signed by the SDIS laboratory.\n\n       States are authorized to upload DNA profiles to NDIS based on local,\nstate, and federal laws, as well as NDIS regulations. However, states or\nlocalities may maintain NDIS-restricted profiles in SDIS or LDIS. For\ninstance, a local law may allow for the collection and maintenance of a\nvictim profile at LDIS but NDIS regulations do not authorize the upload of\nthat profile to the national level.\n\n       CODIS becomes more useful as the quantity of DNA profiles in the\nsystem increases because the potential for additional leads rises. However,\nthe utility of CODIS relies upon the completeness, accuracy, and quantity of\nprofiles that laboratories upload to the system. Incomplete CODIS profiles\nare those for which the required number of core loci were not tested or do\nnot contain all of the DNA information that resulted from a DNA analysis and\nmay not be searched at NDIS.6 The probability of a false match among DNA\nprofiles is reduced as the completeness of a profile increases. Inaccurate\n\n      6\n          A \xe2\x80\x9clocus\xe2\x80\x9d is a specific location on a chromosome. The plural form of locus is loci.\n\n                                               5\n\n\x0cprofiles, which contain incorrect DNA information or an incorrect specimen\nnumber, may generate false positive leads, false negative comparisons, or\nlead to the misidentification of a sample. Further, laws and regulations\nexclude certain types of profiles from being uploaded to CODIS to prevent\nviolations to an individual\xe2\x80\x99s privacy and foster the public\xe2\x80\x99s confidence in\nCODIS. Therefore, it is the responsibility of the Laboratory to ensure that it\nis adhering to the NDIS participation requirements and the profiles uploaded\nto CODIS are complete, accurate, and allowable for inclusion in NDIS.\n\nLaboratory Information\n\n      The Tennessee Bureau of Investigation, Memphis Regional Crime\nLaboratory participates in the CODIS program as an LDIS laboratory. The\nLaboratory opened in January 2002 and immediately began using DNA to\nprocess criminal cases and upload profiles to SDIS. The Laboratory\nperforms analysis on forensic samples only and has not outsourced the\nanalysis of forensic samples within the past 2 years. The American Society\nof Crime Laboratory Directors/Laboratory Accreditation Board first accredited\nthe Laboratory in April 2005 and reaccredited it in December 2009 for a\nperiod of 5 years.\n\n\n\n\n                                      6\n\n\x0c              FINDINGS AND RECOMMENDATIONS\n\n\n     I. Compliance with NDIS Participation Requirements\n\n     The Laboratory complied with NDIS participation requirements\n     tested except that it was not storing a copy of the CODIS\n     database backup at an off-site location and in a lockable\n     container on a monthly basis, and did not provide documentation\n     during our audit that it had responded to a request from another\n     laboratory to confirm an NDIS match.\n\n      The NDIS participation requirements, which consist of the MOU and\nthe NDIS Procedure Manual, establish the responsibilities and obligations of\nlaboratories that participate in the CODIS program at the national level. The\nMOU describes the CODIS-related responsibilities of both the Laboratory and\nthe FBI. The NDIS Procedure Manual is comprised of the NDIS operational\nprocedures and provides detailed instructions for laboratories to follow when\nperforming certain procedures pertinent to NDIS. The NDIS participation\nrequirements we reviewed are listed in Appendix II of this report.\n\nResults of the OIG Audit\n\n      We found that the Laboratory did not store a backup copy of the\nCODIS database in an off-site lockable container each month and it did not\nprovide documentation during our audit that it responded to a match\nconfirmation request from another laboratory. The Laboratory complied with\nother NDIS participation requirements we tested. The results of our audit\nare described in more detail below.\n\nMeasures to Safeguard CODIS\n\n      We interviewed the CODIS Administrator and conducted a walk-\nthrough tour of the Laboratory. We identified no significant concerns\nregarding the Laboratory\xe2\x80\x99s procedures for securing the CODIS server or the\nLaboratory\xe2\x80\x99s facilities. However, the CODIS Administrator was not aware of\nthe NDIS requirement to store monthly a copy of the CODIS database\nbackup at an off-site location and in a lockable container. During our audit\nwork, the CODIS Administrator contacted the State CODIS Administrator\nwho agreed to receive and securely store monthly a copy of the Laboratory\xe2\x80\x99s\nCODIS database backup. The Laboratory should ensure its written\nprocedures address NDIS participation requirements pertaining to\nsafeguarding CODIS data.\n\n\n                                     7\n\n\x0cNDIS Matches\n\n       NDIS offender match procedures require casework laboratories to\ninitiate the match process for offender candidate matches. Offender\nlaboratories should respond to the casework laboratory within 30 business\ndays of receipt of the request. In two of the four offender matches we\nreviewed, there was no record in the case folder that the Laboratory had\nrequested confirmation of the match. The CODIS Administrator could not\nexplain why there was no record of the confirmation request in the case\nfolder. However, in both instances, the offender laboratory confirmed the\nmatch within 30 business days of the National Match Detail Report. The\nCODIS Administrator told us that he began using a "CODIS Match\nConfirmation Process" checklist on or about July 2010 that tracks the match\nprocess from the "CODIS Match Date" to the date the "Submitting Agency\nInformed/Out of State Lab Informed," and that he would ensure that a\nrecord of the confirmation request was included in the case file in the future.\n\n      NDIS forensic match procedures permit either of the casework\nlaboratories to initiate the forensic match process and that the responding\nlaboratory should make a good faith effort to respond to the initiating\ncasework laboratory within 30 business days of receipt of the request. In\none forensic match we reviewed, the CODIS Administrator did not provide\ndocumentation during the audit of his confirmation response to the initiating\ncasework laboratory. This occurred because another laboratory identified a\nsuspect who matched the forensic profile and notified both the initiating\nlaboratory and the Memphis Laboratory. The CODIS Administrator at the\nMemphis Laboratory believed he did not need to respond to the initiating\ncasework laboratory\xe2\x80\x99s request for confirmation. However, NDIS match\nprocedures require that a laboratory respond to confirmation requests.\nSubsequent to our audit, the CODIS Administrator provided a copy of an\ne-mail showing he responded to the initiating laboratory\xe2\x80\x99s confirmation\nrequest. The CODIS Administrator obtained the e-mail from the initiating\nlaboratory after we completed our audit work.\n\n      We have established a 2-week standard in order to assess a\n                                                  7\nlaboratory\xe2\x80\x99s timely notification of investigators. From June 2003 to October\n2010, the Laboratory had 32 NDIS matches. We initially reviewed five of\nthese matches and found that for one match confirmed on June 4, 2010, the\nLaboratory informed investigators of the match 25 business days after the\nconfirmation. The CODIS Administrator could not explain the delay. To\ndetermine whether this delay was an anomaly, we selected three additional\nNDIS matches to determine if there were other instances when investigators\n\n      7\n          See Appendix II for an explanation of this OIG standard.\n\n                                             8\n\n\x0cwere not notified of confirmed matches in a timely manner. The Laboratory\nnotified investigators timely in all three additional matches tested. As a\nresult, we concluded that the Laboratory generally notified investigators of\nCODIS matches in a timely manner and make no recommendation regarding\nthe timely notification of investigators.\n\n       We found that the Laboratory complied with the other NDIS\nparticipation requirements we reviewed, as described below.\n\n  \xef\x82\xb7\t We interviewed the CODIS Administrator and reviewed documents to\n     determine that the Laboratory provided appropriate personnel with\n     copies of the NDIS procedures manual. We interviewed two CODIS\n     users and determined that they both understood NDIS procedures and\n     could access the procedures on the FBI\xe2\x80\x99s Criminal Justice Information\n     System Wide Area Network.\n\n  \xef\x82\xb7\t We verified with the FBI that all Laboratory CODIS users have \n\n     completed the 2011 DNA Records Acceptable at NDIS training. \n\n\n  \xef\x82\xb7\t For each CODIS user, the Laboratory is required to send certain\n     background and security information to the FBI. We verified that the\n     Laboratory submitted the required information to the FBI.\n\n  \xef\x82\xb7\t We determined the Laboratory complied with NDIS requirements\n     regarding the maintenance of personnel records.\n\nConclusion\n\n      The Laboratory was in compliance with NDIS participation\nrequirements tested except that it was not storing a backup copy of the\nCODIS database in an off-site lockable container on a monthly basis and did\nnot provide documentation during our audit that it had responded to a\nrequest from another laboratory for confirmation of an NDIS match.\n\nRecommendations\n\nWe recommend that the FBI:\n\n1. Ensure that the Laboratory stores a monthly backup copy of the CODIS\n   database in an off-site lockable container.\n\n2. Ensure that the Laboratory responds to requests for NDIS match\n   confirmations.\n\n\n                                     9\n\n\x0c       II. Compliance with Quality Assurance Standards\n\n       The Laboratory complied with the Forensic QAS we reviewed.\n       Specifically, we found that the Laboratory complied with the\n       FBI\xe2\x80\x99s QAS with respect to QAS reviews, laboratory security,\n       protection of the integrity of evidence, separation of known and\n       unknown samples, and the retention of samples and extracts\n       after analysis.\n\n      During our audit, we considered the Forensic QAS issued by the FBI.8\nThese standards describe the quality assurance requirements that the\nLaboratory must follow to ensure the quality and integrity of the data it\nproduces. We also assessed the two most recent QAS reviews that the\nlaboratory underwent.9 The QAS we reviewed are listed in Appendix II.\n\nResults of the OIG Audit\n\n       We found that the Laboratory complied with the Forensic QAS tested.\nSpecifically, we found that the Laboratory complied with the FBI\xe2\x80\x99s QAS with\nrespect to QAS reviews, laboratory security, protection of the integrity of\nevidence, separation of known and unknown samples, and the retention of\nsamples and extracts after analysis. These results are described in more\ndetail as follows.\n\n   \xef\x82\xb7\t We determined the Laboratory underwent a QAS review during each of\n      the last 2 calendar years as required by the QAS for laboratory\n      reviews. The Laboratory underwent a QAS review by internal\n      reviewers in November 2009 and by external reviewers in May 2010.\n\n   \xef\x82\xb7\t We reviewed the most recent QAS review reports provided by the\n      CODIS Administrator and determined that the FBI\xe2\x80\x99s QAS Review\n      Document was used to conduct the most recent external and internal\n      reviews. The FBI confirmed that the QAS reviewers for both reviews\n\n       8\n         Forensic Quality Assurance Standards refer to the Quality Assurance Standards for\nForensic DNA Testing Laboratories, effective July 1, 2009.\n       9\n          The QAS require that laboratories undergo annual audits. Every other year, the\nQAS require that the audit be performed by an external agency that performs DNA\nidentification analysis and is independent of the laboratory being reviewed These audits are\nnot required by the QAS to be performed in accordance with the Government Auditing\nStandards (GAS) and are not performed by the Department of Justice Office of the\nInspector General. Therefore, we will refer to the QAS audits as reviews (either an internal\nlaboratory review or an external laboratory review, as applicable) to avoid confusion with\nour audits that are conducted in accordance with GAS.\n\n\n                                            10 \n\n\x0c  had successfully completed the FBI QAS Review training course. There\n  were three findings in the last external review report and no findings in\n  the last internal review report. According to the last external review\n  report: (1) the Laboratory did not have and follow a documented\n  policy for monitoring contamination; (2) the Laboratory had not\n  defined the requirements for performance checks after repair, service,\n  or calibration of equipment; and (3) there was no documentation to\n  indicate that the laboratory used the date received, assigned date,\n  submitted date, or due date as the date the proficiency test is\n  performed. The three findings required modifications to the state\n  laboratory policies. The Laboratory System\'s Technical Manager made\n  the required changes to the state policies. These changes were\n  reviewed and approved by the Regional Laboratory Supervisor, the\n  Quality Assurance Manager, and the Assistant Director for Laboratory\n  Services. We also reviewed these changes to the state\xe2\x80\x99s laboratory\n  policies and determined that the changes appeared adequate to\n  address the QAS review findings. The state\xe2\x80\x99s CODIS Administrator\n  forwarded the Laboratory\xe2\x80\x99s most recent external QAS Review Report to\n  the FBI before the end of an extension period authorized by the FBI.\n\n\xef\x82\xb7\t We asked the QAS reviewer who conducted the most recent external\n   QAS review to certify that she had no impairments to her\n   independence. She provided us with this certification.\n\n\xef\x82\xb7\t We toured the Laboratory building and interviewed the CODIS\n   Administrator to determine that the facility appeared to have adequate\n   physical access controls in place.\n\n\xef\x82\xb7\t We toured the Laboratory building and reviewed policies to determine\n   that the Laboratory appeared to have adequate procedures in place to\n   ensure the integrity of physical evidence.\n\n\xef\x82\xb7\t We interviewed the CODIS Administrator and reviewed policies and\n   practices to determine that the Laboratory\xe2\x80\x99s policies and practices\n   regarding the separation of known and unknown samples during the\n   analysis process appeared to be adequate.\n\n\xef\x82\xb7\t We interviewed the CODIS Administrator and toured the Laboratory to\n   determine that the Laboratory appeared to be in compliance with\n   forensic standards governing the retention of samples and extracts\n   after analysis.\n\n\n\n\n                                  11 \n\n\x0c   \xef\x82\xb7\t We interviewed the Regional Laboratory Supervisor and determined\n      that the Laboratory had not outsourced the analysis of DNA samples\n      within the prior 2 years.\n\nConclusion\n\n      We determined that the Laboratory complied with the Forensic QAS we\nreviewed, including laboratory security, protecting the integrity of evidence,\nseparation of known and unknown samples, the retention of samples and\nextracts after analysis, as well as compliance with QAS reviews. We made\nno recommendations concerning our review of Quality Assurance Standards.\n\n\n\n\n                                     12 \n\n\x0c       III. Suitability of Forensic DNA Profiles in CODIS Databases\n\n       Of the 100 forensic profiles sampled, we found 4 were\n       unallowable for upload to NDIS. The unallowable profiles either\n       belonged to a victim, were taken from the suspect\xe2\x80\x99s person, or\n       could not be connected to evidence found at the crime scene.\n       The CODIS Administrator removed the four profiles from NDIS,\n       while we were on site. The remaining 96 profiles we reviewed\n       were complete, accurate, and allowable for inclusion in NDIS.\n\n       We reviewed a sample of the Laboratory\xe2\x80\x99s Forensic DNA profiles to\ndetermine whether each profile was complete, accurate, and allowable for\ninclusion in NDIS.10 To test the completeness and accuracy of each profile,\nwe established standards that require a profile include all the loci for which\nthe analyst obtained results, and that the values at each locus match those\nidentified during analysis. Our standards are described in more detail in\nAppendix II of this report.\n\n       The FBI\xe2\x80\x99s NDIS operational procedures establish the DNA data\nacceptance standards by which laboratories must abide. The FBI also\ndeveloped a flowchart as guidance for the laboratories for determining what\nis allowable in the forensic index at NDIS. Laboratories are prohibited from\nuploading forensic profiles to NDIS that clearly match the DNA profile of the\nvictim or another known person who is not a suspect. A profile at NDIS that\nmatches a suspect may be allowable if the contributor is unknown at the\ntime of collection. However, NDIS guidelines prohibit profiles that match a\nsuspect if that profile could reasonably have been expected to be on an item\nat the crime scene or part of the crime scene independent of the crime. For\ninstance, a profile from an item seized from the suspect\xe2\x80\x99s person, such as a\nshirt, or that was in the possession of the suspect when collected is\ngenerally not a forensic unknown and would not be allowable for upload to\nNDIS. The NDIS procedures we reviewed are listed in Appendix II of this\nreport.\n\n\n\n\n       10\n           When a laboratory\xe2\x80\x99s universe of DNA profiles in NDIS exceeds 1,500, our sample\nis taken from SDIS rather than directly from NDIS. See Appendix I for further description of\nthe sample selection.\n\n\n                                            13 \n\n\x0cResults of the OIG Audit\n\n      We selected a sample of 100 profiles out of the 603 forensic profiles\nthe Laboratory had uploaded to NDIS as of February 2, 2011. Of the 100\nforensic profiles sampled, we found 4 were unallowable for upload to NDIS.\nOne of the unallowable profiles belonged to a victim, two were taken from\nthe suspect\xe2\x80\x99s person, and one profile was not collected from evidence found\nat the crime scene. The CODIS Administrator removed these four profiles\nfrom NDIS during our audit work. The remaining 96 profiles sampled were\ncomplete, accurate, and allowable for inclusion in NDIS. The specific\nexceptions are explained in more detail below.\n\nOIG Sample Number CA-13\n\n       Sample Number CA-13 was taken from a pair of blue jeans belonging\nto a suspect in a rape and stabbing. The investigators believed the blue\njeans may have contained the victim\xe2\x80\x99s blood tying the suspect to the crime.\nHowever, the blue jeans were not obtained from the crime scene but directly\nfrom a suspect during the investigation. Because the sample was seized\nfrom the suspect\xe2\x80\x99s person and therefore was not a forensic unknown, the\nresulting profile was not eligible for upload to NDIS. The CODIS\nAdministrator could not explain this submission error and removed the\nprofile from CODIS during our audit work. The Laboratory processed this\ncase in February 2005.\n\nOIG Sample Number CA-23\n\n      Sample Number CA-23 was taken from a jacket belonging to the\nsuspect in a murder. The investigators believed the jacket may have\ncontained the victim\xe2\x80\x99s blood. However, the jacket was not obtained from the\ncrime scene but directly from the suspect at the city jail. Because the\nsample was seized from the suspect\xe2\x80\x99s person it was not a forensic unknown\nand therefore not eligible for upload to NDIS. The CODIS Administrator\ncould not explain this submission error and removed the profile from CODIS\nduring our audit work. The Laboratory processed this case in March 2007.\n\nOIG Sample Number CA-24\n\n       Sample Number CA-24 was taken from a pair of stained boxer shorts\nfound in a hotel room where the suspects were apprehended. The victim\nwas a state trooper who was shot and killed during a traffic stop. Although\nthe investigators found these shorts during their investigation, the shorts\nwere not obtained from the crime scene and the resulting profile was not\neligible for upload to NDIS. The CODIS Administrator could not explain this\n\n                                    14 \n\n\x0csubmission error and removed the profile from CODIS during our audit work.\nThe Laboratory processed this case in June 2007.\n\nOIG Sample Number CA-55\n\n      Prior to our review of the case file, the CODIS Administrator identified\nSample Number CA-55 as belonging to the victim in the crime and removed\nthe profile from CODIS. The sample was taken from a white t-shirt stained\nwith blood found a short distance from the murdered victim\xe2\x80\x99s vehicle. The\nvehicle was located near the suspect\xe2\x80\x99s house and the investigators believed\nthe t-shirt belonged to the perpetrator. However, according to the case file,\nthe DNA profile matched the victim\xe2\x80\x99s standard and was ineligible for upload\nto NDIS. The Laboratory processed this case in December 2003.\n\n       The Laboratory processed the four unallowable profiles discussed\nabove in 2007 or earlier. Of our sample of 100 profiles tested, the\nLaboratory processed 47 profiles after 2007 and we found no unallowables\namong those more-recently processed profiles. While the Laboratory could\nnot provide explanations for the unallowable profiles, it appears from our\npost-2007 sample that the Laboratory is no longer uploading unallowable\nprofiles.\n\nConclusion\n\n       Of the 100 forensic profiles tested, 4 profiles were ineligible for upload\nto NDIS. The remaining 96 profiles were complete, accurate, and allowable\nfor inclusion in NDIS. Of the four ineligible profiles, the Laboratory\nprocessed two of these cases more than 6 years ago and the other two\ncases 4 years ago. Because our sample did not reflect errors in the\nLaboratory\xe2\x80\x99s analysis of samples from the last 4 years, it appears the\nLaboratory is now ensuring that only allowable profiles are uploaded to\nNDIS. Consequently, we made no recommendations concerning our review\nof forensic DNA profiles.\n\n\n\n\n                                       15 \n\n\x0c                                                               APPENDIX I\n\n           OBJECTIVES, SCOPE, AND METHODOLOGY\n\n\n      We conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require that we\nplan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit\nobjectives.\n\n       Our audit generally covered the period from March 2009 through\nFebruary 2011. However, our sample of forensic profiles selected for review\nwas from the Laboratory\xe2\x80\x99s entire universe of forensic profiles. The\nobjectives of the audit were to determine if the: (1) Laboratory was in\ncompliance with the NDIS participation requirements; (2) Laboratory was in\ncompliance with the QAS issued by the FBI; and (3) Laboratory\xe2\x80\x99s forensic\nDNA profiles in CODIS databases were complete, accurate, and allowable for\ninclusion in NDIS. To accomplish the objectives of the audit, we:\n\n  \xef\x82\xb7\t Examined internal and external Laboratory QAS review reports and\n     supporting documentation for corrective action taken, if any, to\n     determine whether: (a) the Laboratory complied with the QAS,\n     (b) repeat findings were identified, and (c) recommendations were\n     adequately resolved.\n\n     In accordance with the QAS, the internal and external laboratory review\n     procedures are to address, at a minimum, a laboratory\xe2\x80\x99s quality\n     assurance program, organization and management, personnel\n     qualifications, facilities, evidence control, validation of methods and\n     procedures, analytical procedures, calibration and maintenance of\n     instruments and equipment, proficiency testing of analysts, corrective\n     action for discrepancies and errors, review of case files, reports, safety,\n     and previous audits. The QAS require that internal and external reviews\n     be performed by personnel who have successfully completed the FBI\xe2\x80\x99s\n     training course for conducting such reviews.\n\n     As permitted by GAS 7.42 (2007 revision), we generally relied on the\n     results of the Laboratory\xe2\x80\x99s external laboratory review to determine if\n\n\n\n\n                                      16 \n\n\x0c       the Laboratory complied with the QAS.11 In order to rely on the work\n       of non-auditors, GAS requires that we perform procedures to obtain\n       sufficient evidence that the work can be relied upon. Therefore, we:\n       (1) obtained evidence concerning the qualifications and independence\n       of the individuals who conducted the review and (2) determined that\n       the scope, quality, and timing of the audit work performed was\n       adequate for reliance in the context of the current audit objectives by\n       reviewing the evaluation procedure guide and resultant findings to\n       understand the methods and significant assumptions used by the\n       individuals conducting the reviews. Based on this work, we\n       determined that we could rely on the results of the Laboratory\xe2\x80\x99s\n       external laboratory review.\n\n   \xef\x82\xb7\t Interviewed Laboratory officials to identify management controls,\n      Laboratory operational policies and procedures, Laboratory certifications\n      or accreditations, and analytical information related to DNA profiles.\n\n   \xef\x82\xb7\t Toured the Laboratory to observe facility security measures as well as\n      the procedures and controls related to the receipt, processing,\n      analyzing, and storage of forensic evidence.\n\n   \xef\x82\xb7\t Reviewed the Laboratory\xe2\x80\x99s written policies and procedures related to\n      conducting internal reviews, resolving review findings, and resolving\n      matches among DNA profiles in NDIS.\n\n   \xef\x82\xb7\t Reviewed supporting documentation for 8 of 32 NDIS matches to\n      determine whether they were resolved in a timely manner. The\n      Laboratory provided the universe of NDIS matches as of February 16,\n      2011. The sample was judgmentally selected to include both case-to-\n      case and case-to-offender matches. This non-statistical sample does\n      not allow projection of the test results to all matches.\n\n   \xef\x82\xb7\t Reviewed the case files for selected forensic DNA profiles to determine if\n      the profiles were developed in accordance with the Forensic QAS and\n      were complete, accurate, and allowable for inclusion in NDIS.\n\n       Working in conjunction with the contractor used by the FBI to maintain\n       NDIS and the CODIS software, we obtained an electronic file identifying\n       the 603 forensic profiles the Laboratory had uploaded to NDIS as of\n\n       11\t\n           We also considered the results of the Laboratory\xe2\x80\x99s internal laboratory review, but\ncould not rely on the results of that review because it was not performed by personnel\nindependent of the Laboratory. Further, as noted in Appendix II, we performed audit\ntesting to verify Laboratory compliance with specific Quality Assurance Standards that have\na substantial effect on the integrity of the DNA profiles uploaded to NDIS.\n\n                                             17 \n\n\x0c     February 2, 2011. We limited our review to a sample of 100 profiles.\n     This sample size was determined judgmentally because preliminary\n     audit work determined that risk was not unacceptably high.\n\n  \xef\x82\xb7\t Using the judgmentally-determined sample size, we randomly selected a\n     representative sample of labels associated with specific profiles in our\n     universe to reduce the effect of any patterns in the list of profiles\n     provided to us. However, because the sample size was judgmentally\n     determined, the results obtained from testing this limited sample of\n     profiles may not be projected to the universe of profiles from which the\n     sample was selected.\n\n      The objectives of our audit concerned the Laboratory\'s compliance with\nrequired standards and the related internal controls. Accordingly, we did not\nattach a separate statement on compliance with laws and regulations or a\nstatement on internal controls to this report. See Appendix II for detailed\ninformation on our audit criteria.\n\n\n\n\n                                     18 \n\n\x0c                                                                     APPENDIX II\n\n                               AUDIT CRITERIA\n\n\n      In conducting our audit, we considered the NDIS participation\nrequirements and the QAS. However, we did not test for compliance with\nelements that were not applicable to the Laboratory. In addition, we\nestablished standards to test the completeness and accuracy of DNA profiles\nas well as the timely notification of DNA profile matches to law enforcement.\n\nNDIS Participation Requirements\n\n       The NDIS participation requirements, which consist of the\nMemorandum of Understanding (MOU) and the NDIS operational procedures,\nestablish the responsibilities and obligations of laboratories that participate\nin NDIS. The MOU requires that NDIS participants comply with federal\nlegislation and the QAS, as well as NDIS-specific requirements\naccompanying the MOU in the form of appendices. We focused our audit on\nspecific sections of the following NDIS requirements.\n\n   \xef\x82\xb7   DNA Data Acceptance Standards\n   \xef\x82\xb7   DNA Data Accepted at NDIS\n   \xef\x82\xb7   QAS Reviews\n   \xef\x82\xb7   NDIS DNA Autosearches\n   \xef\x82\xb7   Confirm an Interstate Candidate Match\n   \xef\x82\xb7   General Responsibilities\n   \xef\x82\xb7   Initiate and Maintain a Laboratory\xe2\x80\x99s Participation in NDIS\n   \xef\x82\xb7   Security Requirements\n   \xef\x82\xb7   CODIS Users\n   \xef\x82\xb7   CODIS Administrator Responsibilities\n   \xef\x82\xb7   Access to, and Disclosure of, DNA Records and Samples\n   \xef\x82\xb7   Upload of DNA Records\n   \xef\x82\xb7   Expunge a DNA Record\n   \xef\x82\xb7   The FBI Flowchart: A Guide to Determining What is Allowable in the\n       Forensic Index at NDIS12\n\n\n\n\n       12\n         The FBI Flowchart is guidance issued to NDIS-participating laboratories separate\n from the MOU and NDIS operational procedures. The flowchart is contained in the 2010\n CODIS Administrator\xe2\x80\x99s Handbook and has been provided to laboratories in forums such as\n CODIS conferences.\n                                          19 \n\n\x0cQuality Assurance Standards\n\n      The FBI issued two sets of QAS: QAS for Forensic DNA Testing\nLaboratories, effective July 1, 2009 (Forensic QAS); and QAS for DNA\nDatabasing Laboratories, effective July 1, 2009 (Offender QAS). The\nForensic QAS and the Offender QAS describe the quality assurance\nrequirements that the Laboratory should follow to ensure the quality and\nintegrity of the data it produces.\n\n       For our audit, we generally relied on the reported results of the\nLaboratory\xe2\x80\x99s most recent annual external review to determine if the\nLaboratory was in compliance with the QAS. Additionally, we performed\naudit work to verify that the Laboratory was in compliance with the QAS\nlisted below because they have a substantial effect on the integrity of the\nDNA profiles uploaded to NDIS.\n\n   \xef\x82\xb7\t Facilities (Forensic QAS and Offender QAS 6.1): The laboratory shall\n      have a facility that is designed to ensure the integrity of the analyses\n      and the evidence.\n\n   \xef\x82\xb7\t Evidence Control (Forensic QAS 7.1): The laboratory shall have and\n      follow a documented evidence control system to ensure the integrity of\n      physical evidence. Where possible, the laboratory shall retain or return\n      a portion of the evidence sample or extract.\n\n   \xef\x82\xb7\t Sample Control (Offender QAS 7.1): The laboratory shall have and\n      follow a documented sample inventory control system to ensure the\n      integrity of the database and known samples.\n\n   \xef\x82\xb7\t Analytical Procedures (Forensic QAS and Offender QAS 9.5): The\n      laboratory shall monitor the analytical procedures using [appropriate]\n      controls and standards.\n\n   \xef\x82\xb7\t Review (Forensic QAS 12.1): The laboratory shall conduct\n      administrative and technical reviews of all case files and reports to\n      ensure conclusions and supporting data are reasonable and within the\n      constraints of scientific knowledge.\n\n      (Offender QAS Standard 12.1): The laboratory shall have and follow\n      written procedures for reviewing DNA records and DNA database\n      information, including the resolution of database matches.\n\n\n\n\n                                      20 \n\n\x0c  \xef\x82\xb7\t Reviews (Forensic QAS 15.1 and 15.2): The laboratory shall be audited\n     annually in accordance with [the QAS]. The annual audits shall occur\n     every calendar year and shall be at least 6 months and no more than 18\n     months apart.\n\n     At least once every 2 years, an external audit shall be conducted by an\n     audit team comprised of qualified auditors from a second agency(ies)\n     and having at least one team member who is or has been previously\n     qualified in the laboratory\xe2\x80\x99s current DNA technologies and platform.\n\n  \xef\x82\xb7\t Outsourcing (Forensic QAS and Offender QAS Standard 17.1): A vendor\n     laboratory performing forensic and database DNA analysis shall comply\n     with these Standards and the accreditation requirements of federal law.\n\n     Forensic QAS 17.4: An NDIS participating laboratory shall have and\n     follow a procedure to verify the integrity of the DNA data received\n     through the performance of the technical review of DNA data from a\n     vendor laboratory.\n\n     Offender QAS Standard 17.4: An NDIS participating laboratory shall\n     have, follow and document appropriate quality assurance procedures to\n     verify the integrity of the data received from the vendor laboratory\n     including, but not limited to, the following: Random reanalysis of\n     database, known or casework reference samples; Inclusion of Quality\n     Control samples; Performance of an on-site visit by an NDIS\n     participating laboratory or multi-laboratory system outsourcing DNA\n     sample(s) to a vendor laboratory or accepting ownership of DNA data\n     from a vendor laboratory.\n\nOffice of the Inspector General Standards\n\n       We established standards to test the completeness and accuracy of\nDNA profiles as well as the timely notification of law enforcement when DNA\nprofile matches occur in NDIS. Our standards are listed below.\n\n  \xef\x82\xb7\t Completeness of DNA Profiles: A profile must include each value\n     returned at each locus for which the analyst obtained results. Our\n     rationale for this standard is that the probability of a false match\n     among DNA profiles is reduced as the number of loci included in a\n     profile increases. A false match would require the unnecessary use of\n     laboratory resources to refute the match.\n\n  \xef\x82\xb7\t Accuracy of DNA Profiles: The values at each locus of a profile must\n     match those identified during analysis. Our rationale for this standard\n\n\n                                    21 \n\n\x0c  is that inaccurate profiles may: (1) preclude DNA profiles from being\n  matched and, therefore, the potential to link convicted offenders to a\n  crime or to link previously unrelated crimes to each other may be lost;\n  or (2) result in a false match that would require the unnecessary use\n  of laboratory resources to refute the match.\n\n\xef\x82\xb7\t Timely Notification to Law Enforcement When DNA Profile Matches\n   Occur in NDIS: Laboratories should notify law enforcement personnel\n   of NDIS matches within 2 weeks of the match confirmation date,\n   unless there are extenuating circumstances. Our rationale for this\n   standard is that untimely notification to law enforcement personnel\n   may result in the suspected perpetrator committing additional, and\n   possibly more egregious, crimes if the individual is not deceased or\n   already incarcerated for the commission of other crimes.\n\n\n\n\n                                 22 \n\n\x0c                                                                            APPENDIX III\n\n        FEDERAL BUREAU OF INVESTIGATION RESPONSE\n\n\n                                                       U. S. Department of Justice\n                                                       Federal Bureau of Investigation\n                                                       Washington D. C. 20535-0001\n\n                                                       June 15, 2011\n\nMr. Ferris B. Polk\nRegional Audit Manager\nAtlanta Regional Audit Office\nOffice of the Inspector General\n75 Spring Street, Suite 1130\nAtlanta, GA 30303\n\nDear Mr. Polk:\n\n               Your memorandum to Director Mueller forwarding the draft audit report for the\nTennessee Bureau of Investigation Memphis Regional Crime Laboratory, Memphis, Tennessee\n(Laboratory), has been referred to me for response.\n\n               As you are aware, your draft audit report contained two recommendations relating\nto the Laboratory\'s compliance with the FBI\xe2\x80\x99s Memorandum of Understanding for Participation\nin the National DNA Index System (NDIS) and Quality Assurance Standards for Forensic DNA\nTesting Laboratories.\n\n               With respect to recommendation one relating to the storage of a copy of the\nCODIS database backup at an off-site, the CODIS Unit has reviewed the Laboratory\'s form for\ndocumenting the monthly transfer of the backup tapes. The form will complement the\nLaboratory\'s security section of its operating procedures. The CODIS Unit supports closure of\nthis recommendation.\n\n               With respect to recommendation two relating to the timely response to requests\nfor NDIS match confirmation, the Laboratory has now provided documentation to prove that it\nwas in contact with the laboratories involved in the forensic matches. The CODIS Unit believes\nthat the Laboratory is now familiar with what is required for confirming matches. The CODIS\nUnit supports closure of this recommendation.\n\n                Thank you for sharing the draft audit report with us. If you have any questions,\nplease feel free to contact Jennifer C. Luttman, Chief of the CODIS Unit at (703) 632-8302.\n\n                                                        Sincerely,\n\n                                                               /s/\n                                                        Alice R. Isenberg, Ph.D\n                                                        Section Chief\n                                                        Biometrics Analysis Section\n                                                        FBI Laboratory\n\n\n                                                23 \n\n\x0c                                                                            APPENDIX IV\n\n         TENNESSEE BUREAU OF INVESTIGATION \n\n     MEMPHIS REGIONAL CRIME LABORATORY RESPONSE \n\n\n\n                       TENNESSEE BUREAU OF INVESTIGATION\n                                         6325 Haley Rd.\n\n                                   Memphis, Tennessee 38134 \n\n                                         (901) 379-3400 \n\n                                    Facsimile (901) 372-5963\n\n\n\nJune 13, 2011\n\nMr. Ferris B. Polk\nRegional Audit Manager\nU.S. Department of Justice\nOffice of the Inspector General\nAtlanta Regional Audit Office\n75 Spring Street, Suite 1130\nAtlanta, GA 30303\n\nDear Mr. Polk,\n\nPlease find below comments and attachments from the Tennessee Bureau of Investigation,\nMemphis Regional Crime Laboratory, regarding the OIG draft audit report on the Compliance\nwith Standards Governing Combined DNA Index System Activities, specifically the Findings\nand Recommendations on pp. 7-9 of the draft report.\n\nI.     Compliance with NDIS Participation Requirements\n\n       \xe2\x80\x9cThe Laboratory complied with NDIS participation requirements tested except that it was\n       not storing a copy of the CODIS database backup at an off-site location and in a lockable\n       container on a monthly basis, and did not respond to a request from another laboratory for\n       confirmation of an NDIS match.\xe2\x80\x9d\n\nRegarding the first finding that no CODIS backup copy was being stored off-site, TBI concedes\nthis shortcoming. Although TBI\xe2\x80\x99s CODIS protocol specifies that a backup tape will be sent to\nanother TBI lab on a monthly basis (refer to the attached p. 2/6 of the Security section of the TBI\nCODIS Protocol), this policy was missed by oversight in the Memphis lab during the abrupt\ntransition from the previous CODIS Administrator. To ensure that this lapse does not occur\nagain, TBI has created a form for documenting the monthly transfer of the backup tapes between\nlabs (please see form attached).\n\n\n\n\n                                               24 \n\n\x0cRegarding the second finding that a confirmation request from another state was disregarded, a\nseries of email communications with the three involved labs has been attached. The emails show\nthat this string of cases involving a common perpetrator had previously been settled between the\nthree labs before TBI\xe2\x80\x99s hit occurred. All three administrators \xe2\x80\x93 xxxxx xxxxxxx xxxx xxxxx\n                                                                           Names redacted.\nxxxxxxxxxxxx xxxxx xxxx xxxxxxxx xxxxxxxx xxxxx xxxxxx xxxx xxxxx xxxxxxx xxx\n                           Names redacted.\nxxxxxx xxxxxxxx xxxxxxxx xxxxx xx xxxxxxxx xxxxxxx \xe2\x80\x93 acknowledge in their\ncommunications the prior hits between the three states. xxxxx xxxxxx xx xxx xxxxx states that\n                                                                Name redacted.\nher lab\xe2\x80\x99s profile matched the standard of a known suspect in the case. From these\ncommunications, TBI inferred that all parties had adequate information to resolve their\nrespective cases prior to the TBI hit.\n\nRegardless, the dialogues show that each laboratory involved in the hit was responded to.\nMichigan State Police requested additional case information, and it was provided. Virginia DFS\nwas informed that the Tennessee case was unsolved; TBI was negligent in exchanging case\ninformation, primarily out of the mistaken idea that the phrase \xe2\x80\x9cmatch confirmation process\xe2\x80\x9d\nreferred to verification of data and exchange of personal information in the context of offenders\nonly.\n\nAccording to the NDIS Confirm an Interstate Candidate Match Operational Procedures, section\n4.3.3, \xe2\x80\x9cif one or more of the cases have been solved and the laboratories exchange this\ninformation, it may not be necessary to proceed with the confirmation process.\xe2\x80\x9d Also, section\n4.3.5 states that, \xe2\x80\x9cfor a solved case matching an unsolved case, the laboratory responsible for the\nsolved case is providing the information relating to a putative perpetrator.\xe2\x80\x9d These guidelines\nwere factors in the confusion and decision that information did not need to be exchanged.\n\nIn full disclosure, most of the documented communication stemming from this forensic hit was\nnot available for review at the time that the auditors were on site and had to be obtained through\nthe other labs after the audit. This lack of documentation surely led the auditors to conclude that\nminimal effort had been made by TBI to resolve or respond to the hits.\n\nTBI appreciates the opportunity to respond to the OIG draft audit report. If I can be of any\nfurther assistance, please do not hesitate to contact me at 901-379-3455.\n\n\nSincerely,\n\n\n     /s/\n\nLoren James\nSpecial Agent Forensic Scientist\nLocal CODIS Administrator\n\nEnclosure\n\n\n\n\n                                               25 \n\n\x0c                                                            APPENDIX V\n\n           OFFICE OF THE INSPECTOR GENERAL \n\n        ANALYSIS AND SUMMARY OF ACTIONS TAKEN \n\n                   TO CLOSE REPORT\n\n\n\n      The OIG provided a draft of this audit report to both the FBI and the\nMemphis Regional Crime Laboratory. The FBI\xe2\x80\x99s response is incorporated in\nAppendix III of this final report. The Memphis Regional Crime Laboratory\xe2\x80\x99s\nresponse is incorporated in Appendix IV of this report. The following\nprovides the OIG analysis of the responses and summary of actions taken to\nclose the report.\n\nSummary of Actions Taken to Close Report\n\n  1. Closed. The Laboratory agreed that it should be storing a monthly\n     backup copy of the CODIS database in an off-site lockable container.\n     The Laboratory identified a protocol that it had in place at the time of\n     our audit, which addressed this NDIS requirement. The CODIS\n     Administrator told us that he was not aware of this protocol. The\n     Laboratory\xe2\x80\x99s response to the draft report states that in response to the\n     audit the Laboratory has established a form to track future compliance\n     with this NDIS requirement. Based on this corrective action, the FBI\n     and the Laboratory requested that we close this recommendation.\n     This recommendation is closed based on steps the Laboratory took to\n     ensure it stores a monthly backup copy of the CODIS database in an\n     off-site lockable container.\n\n  2. Closed. During our on-site review of the Laboratory\xe2\x80\x99s files, we found\n     no documentation showing that the CODIS Administrator responded to\n     an initiating laboratory\xe2\x80\x99s confirmation request. We recommended that\n     the FBI ensure the Laboratory responds to requests for NDIS match\n     confirmations. Along with its response to the draft report, the\n     Laboratory provided documentation showing the CODIS Administrator\n     responded timely via an e-mail to the initiating laboratory\xe2\x80\x99s\n     confirmation request. This documentation was not available to us\n     during the audit, and the CODIS Administrator obtained it from the\n     initiating laboratory after we completed our work. This\n     recommendation is closed based on documentation provided\n     subsequent to the audit showing the Laboratory responded to match\n     confirmation requests.\n\n\n                                    26 \n\n\x0c'